Hello!
I’m using a Windows Server 2003 with a 3Com Office Connect Wireless ADSL 11g firewall Router …
The last time I checked the Security log, I’ve found some unusual things:


2006.05.12 17:03:00 **Smurf** xxx.206.193.255, 2292->> xxx.206.216.209, 80 (from ATM1 Inbound)
2006.05.12 17:02:57 **Smurf** xxx.206.193.255, 2292->> xxx.206.216.209, 80 (from ATM1 Inbound)

2006.05.11 00:00:26 xxx.168.1.2 login success
2006.05.11 00:00:20 If(ATM1) PPP connection ok !
2006.05.11 00:00:19 ATM1 get IP: xxx.206.216.209
2006.05.11 00:00:18 ATM1 start PPP
2006.05.11 00:00:18 ADSL xxxxxxx !

I know few about security matters, but I think that something happened here? A cracker was maybe able to break into my network?
I though that having a router with a firewall would keep me away from these attacks! It seems like it’s not true!
I really need your help in this issue, you are the experts and I’m in a big trouble!

My questions are:
-Could you explain the meaning of this log? (Expressions like Smurf? numbers after the IP addresses?)
-How was this cracker being able to bypass my firewall?
-When he was inside my network, what was he able to do?
And the most important question is: -How can I protect myself from these attacks?

I appreciate your help,
Best regards
Xouy

Looking at your log, all I can see is an attempted "smurf attack", which means that the router detected it and blocked it. Don't forget that the newest entries in the log ar at the top, so the detected attack was the last event. For a description of what it was, see http://en.wikipedia.org/wiki/Smurf_attack

Numbers after the IP addresses show the ports involved, port 80 being the usual port for HTTP (web) traffic, for example.

The bottom part of your extract shows the ADSL modem loggin onto your internet connection and is nothing to do with the smurf attack, nor any other kind of attack or unexpected login.

So your questions aren't really relevant, since you're already protected and no hacker was able to get into your server or network. You already have adequate protection and your firewall appears to be doing its job. Congratulations. ;)

Hi!
Thanks a lot for your answer trickyricky ;)
It feels great to know that my router can block smurf attacks
I think that the second part of the log is NOT a normal login to my ADSL connection; I believe it’s another sort of attacks using PPP… because before I was getting connected normally to the internet without these lines in the log, also it’s written in the router’s manual that this log contains only the attempts that have been made to gain access to my network, the most strange thing is that the xx… (I replaced them) represent the name of some people that I know and that I do not particularly like :(

2006.05.11 00:00:20 If(ATM1) PPP connection ok !
2006.05.11 00:00:19 ATM1 get IP: xxx.206.216.209 (this is my IP)
2006.05.11 00:00:18 ATM1 start PPP
2006.05.11 00:00:18 ADSL xxxxxxx (Their name) !

If you are sure that it’s not an attack, please confirm this to me, because, you see that I’m having a lot of trouble figuring out what happened…:'(

What name is it that you replaced? PM it to me if you don't want to post it in an open forum message.

The log lines are as follows - remember that the one originally at the bottom is the first entry in the sequence:

> 2006.05.11 00:00:18 ADSL xxxxxxx (Their name) !

I wonder what the xxxxxxx stands for?

> 2006.05.11 00:00:18 ATM1 start PPP

This is the start of the ADSL connection to your exchange/ISP

> 2006.05.11 00:00:19 ATM1 get IP: xxx.206.216.209 (this is my IP)

This is your ISP assigning your IP address (or agreeing it if it's fixed)

> 2006.05.11 00:00:20 If(ATM1) PPP connection ok !

All done - you're up and running.

So all it is is the router (well, the modem in the router box) negotiating your ADSL link with your ISP and getting to the state where all is established and ready for use.

I still don't see anything to be worried about. It all looks very normal to my eyes.

Okay, I see ... Thanks again :)